North American Network Operators Group


RE: PGP keyserver infrastructure

  • From: Roeland M.J. Meyer
  • Date: Sat Jul 01 18:12:37 2000

> L. Sassaman: Saturday, July 01, 2000 2:44 PM

> On Sat, 1 Jul 2000, Bennett Todd wrote:
>
> > The real difference between the two is that S/MIME is based on the
> > model of creating and subsidizing an artificial monopoly for the
> > CAs, while PGP is not. Unless you're a CA, it's an easy choice :-).
>
> And to expound upon this a little, CAs have artificially set PGP up as a
> competitor to their existence. CAs could easily embrace PGP and offer PGP
> services along with S/MIME and TLS. They choose not to, since PGP makes
> CAs optional (not obsolete, however).

First, I should state that I am NOT a Verisign fan. Quite the
opposite. However, commercial CAs don't have a lock on being CAs.
Ergo, monopoly issues do not apply here. In fact, most uses of a
CA, within an organization, are in the line of validating that
the user belongs to that organization, or is associated somehow
(i.e. extranet access). There is no need for such an org to pay
for a commercial cert as they can be their own CA. This is much
like what Randy is proposing for NANOG folks. NANOG, actually
Merit, could fire up such a CA and NANOG folk could use it. A
common key format would allow certs to be issued for SSL as well
as S/MIME uses. OpenSSL actually allows you to generate a
key/CRL/etc. that works both for S/MIME and SSL. The CA software
is also open-sourced via OpenCA.

Now there may be issues of taste, with not wanting to run a CA
based on Perl scripts. But the fact of the matter is that the
population of NANOG would not stress such a system, even on a 486
Linux box. There is even a Perl compiler that works with
mod_perl.
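The in-house CA described above, issuing one certificate that serves both SSL/TLS and S/MIME, as an added shell example that is not part of the original message or of any project it mentions. It assumes OpenSSL 1.1.1 or later on the path; the organization, user, mailbox and host name are constructed.

```shell
# Added example, not from the original post: an organization acting as its own
# CA with OpenSSL (1.1.1 or later assumed) and issuing one certificate that is
# valid for both TLS and S/MIME. Names and addresses below are constructed.
set -e

WORK=$(mktemp -d)

# Create the private CA and issue the dual-use certificate; prints its path.
make_dual_use_cert() {
  cd "$WORK"
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[dual_use]
# emailProtection covers S/MIME, serverAuth/clientAuth cover TLS; the SAN
# carries both the mailbox and the host name so either relying party matches.
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection, serverAuth, clientAuth
subjectAltName = email:jane@example.net, DNS:mail.example.net
EOF
  # Self-signed root: the organization is its own trust anchor, no fee paid.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config ca.cnf -keyout ca.key -out ca.crt \
    -subj "/O=Example Org/CN=Example Org Root CA" >/dev/null 2>&1
  # End-entity key and request, then sign it with the dual-use extensions.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
    -keyout user.key -out user.csr -subj "/O=Example Org/CN=Jane Doe" >/dev/null 2>&1
  openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 90 -sha256 -extfile ca.cnf -extensions dual_use -out user.crt >/dev/null 2>&1
  echo "$WORK/user.crt"
}

# Confirm the certificate chains to the private root and is accepted for both
# S/MIME signing and TLS server use; prints "ok" only if both checks pass.
check_dual_use() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose smimesign "$1" >/dev/null &&
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver "$1" >/dev/null &&
  echo ok
}

# Run end to end when OpenSSL is installed.
if command -v openssl >/dev/null 2>&1; then
  check_dual_use "$(make_dual_use_cert)"
fi
```

Inspect the result with `openssl x509 -in "$WORK/user.crt" -noout -text` to see the single extendedKeyUsage carrying both emailProtection and serverAuth.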